About delegated bypass for push protection

You can control which teams or roles have the ability to bypass push protection in your organization or repository.

Who can use this feature?

Push protection is available for organization-owned repositories in GitHub Enterprise Server if your enterprise has a license for GitHub Advanced Security.

About delegated bypass for push protection

Note

Delegated bypass for push protection is currently in beta and subject to change.

Delegated bypass for push protection lets you define contributors who can bypass push protection and adds an approval process for other contributors.

When you enable push protection, by default, anyone with write access to the repository can choose to bypass the protection by specifying a reason for allowing the push containing a secret. With delegated bypass, only specific roles and teams can bypass push protection. All other contributors are instead obligated to make a request for "bypass privileges", which is sent to a designated group of reviewers who either approve or deny the request to bypass push protection.

If the request to bypass push protection is approved, the contributor can push the commit containing the secret. If the request is denied, the contributor must remove the secret from the commit (or commits) containing the secret before pushing again.

To configure delegated bypass, organization owners or repository administrators must change the "Who can bypass push protection for secret scanning" setting in the UI from Anyone with write access to Specific roles and teams.

Organization owners or repository administrators are then prompted to create a "bypass list". The bypass list comprises the specific roles and teams, such as the security team or repository administrators, who oversee requests from non-members to bypass push protection. For more information, see "Configuring delegated bypass for an organization" and "Configuring delegated bypass for a repository."

Members of the bypass list can review and manage requests through the "Push protection bypass" page in the Security tab of the repository. For more information, see "Managing requests to bypass push protection."

Members of the bypass list are still protected from accidentally pushing secrets to a repository. If they attempt to push a commit containing a secret, their push is still blocked, but they can choose to bypass the block by specifying a reason for allowing the push. Members of the bypass list do not have to request bypass privileges from other members in order to override the block.

For information about enabling delegated bypass, see "Enabling delegated bypass for push protection."